Gootloader malware creators manipulate compromised websites for SEO boost to increase spread and effectiveness of malicious payload

Gootloader malware
Gootloader malware manipulates CMS to boost SEO. Pic credit: James Osborne/Pixabay

Hackers have been manipulating websites they hack into, with multiple tricks to boost their search ranking. The SEO (Search Engine Optimization) tricks significantly boost the chances of victims clicking and falling prey to malware.

A new report has revealed malicious code writers are conducting a massive cyberattack. They are using a new technique called “Gootloader,” to deliver RAT (Remote Access Trojan). Interestingly, the creators of the malware are using shady SEO tricks to deploy malware payloads to as many victims as possible.

Hackers are manipulating CMS to trick SEO and gain higher search engine rankings:

Sophos, the cybersecurity company that first discovered the new method of spreading computer malware, has created a detailed blog post. It explains how hackers have elevated their methods to boost the spread of their malicious code.

The new method uses manipulative and unethical Search Engine Optimization (SEO) tricks to push compromised websites up Google’s ranking. The method also relies largely on human psychology tricks.

There’s nothing wrong with standard SEO. Webmasters and content creators who run a website, often attempt to increase their website’s exposure on search engines such as Google or Bing. However, Sophos claims malicious code writers are now tampering with the Content Management Systems (CMS) of websites.

The end goal of manipulating CMS is to serve financial malware, exploit tools, and ransomware to as many victims as possible. And this can happen to a much greater extent when compromised websites rank higher in search results.

Gootloader with Gootkit Remote Access Trojan running massive SEO operation:

Hackers are reportedly pushing a wider variety of malware via hacked WordPress sites and malicious SEO techniques. In addition to increasing the number of payloads, Gootloader RAT has been seen distributing them across multiple regions using hundreds of hacked servers.

Incidentally, running such an attack is not only sophisticated but expensive as well. These servers must be active at all times. Researchers estimate the Gootkit Remote Access Trojan operation is running 400 servers, if not more, simultaneously.

It is not immediately clear how the hackers compromised websites. However, the attackers are going after domains with CMS running in the background. Researchers estimate attackers may have used additional malware, stolen credentials, or other well-known attacks to gain unauthorized entry.

The operators of the Gootloader RAT manipulate the CMS by adding a few lines of code. The attackers insert the lines into the body of the content. Hackers train compromised websites to answer specific search queries.

There are several checks to ensure a victim clicks on the malicious link the RAT creators insert inside legitimate-looking replies to queries. “If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic,” observed researchers.

In case a potential victim does not meet the criteria set by attackers, the browser merely displays a seemingly-normal web page. The attackers have automated the process to halt the attack if the victim doesn’t meet the expectations.

Sophos claims attackers are using the technique to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware.

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x